WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

Weight: critical

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input.
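
The three fixes above applied together, as an added example that is not code from this scanner page or from any plugin listed below. It assumes a WordPress runtime where the global `$wpdb` exists and, for the `%i` identifier placeholder, WordPress 6.2 or later (the "where supported" in the list); the function names, the `example_orders` table and its column list are hypothetical.

```php
<?php
// Added example; not from the scanner page or any listed plugin.
// Assumes WordPress (global $wpdb). The %i placeholder needs WordPress 6.2+.
// example_orders and its columns are hypothetical.

/**
 * The pattern the sniff flags: request values interpolated straight into SQL.
 * Kept here only to show what the hardened version below replaces.
 */
function example_orders_unprepared( string $status, string $orderby ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_orders';
    // Flagged by WordPress.DB.PreparedSQL.NotPrepared: $status and $orderby
    // reach the query with no quoting or validation at all.
    return $wpdb->get_results(
        "SELECT id, total FROM {$table} WHERE status = '{$status}' ORDER BY {$orderby}"
    );
}

/**
 * Hardened form: values go through placeholders, identifiers and keywords go
 * through strict allowlists before they are placed in the query.
 */
function example_orders_prepared( string $status, string $orderby, string $direction, int $limit ) {
    global $wpdb;

    // Column names cannot be bound as values. Restrict them to known-good names
    // and fall back to a fixed default rather than passing the input through.
    $allowed_columns = array( 'id', 'total', 'created_at' );
    $column = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'id';

    // ASC/DESC is a keyword, not a value, so prepare() cannot bind it either.
    $direction = ( 'DESC' === strtoupper( $direction ) ) ? 'DESC' : 'ASC';

    // The table name is built from $wpdb->prefix, never from request data.
    $table = $wpdb->prefix . 'example_orders';

    // %i backtick-quotes identifiers, %s quotes and escapes the string value,
    // %d casts to an integer. Only the allowlisted keyword is interpolated.
    $sql = $wpdb->prepare(
        "SELECT id, total FROM %i WHERE status = %s ORDER BY %i {$direction} LIMIT %d",
        $table,
        $status,
        $column,
        $limit
    );

    return $wpdb->get_results( $sql );
}
```

`%i` only quotes an identifier; it does not decide which columns a caller may sort by, so the allowlist still does that job, and on WordPress older than 6.2 the validated `$column` and `$table` are interpolated into the format string in the same way as `$direction`. A literal `%` inside a `prepare()` format string must be written as `%%`.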

Affected Plugins

| Rank | Plugin | Score, Errors, Warnings, Installs, Added, Updated | Top Issue |
|---|---|---|---|
| #1001 | Portfolio, Gallery, Product Catalog – Grid KIT Portfolio | 31613296k+ | Non-prefixed global variable |
| #1002 | Active Products Tables for WooCommerce. Use constructor to create tables | 313644241k+ | Output is not escaped |
| #1003 | Push notification for Mobile and Web app | 318783400 | Non Singular String Literal Domain |
| #1004 | Raffle Play Woocommerce | 31151199800 | Output is not escaped |
| #1005 | Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | 31453734m+ | Non-prefixed global variable |
| #1006 | Social Share Buttons | 314621561k+ | Text Domain Mismatch |
| #1007 | Page Builder by SiteOrigin | 31226214400k+ | Output is not escaped |
| #1008 | Slider Carousel – Image Slider | 312241,2333k+ | Request data is not unslashed |
| #1009 | Smart Keywords Tool – 智能关键词插件 | 3136133600 | Non Singular String Literal Domain |
| #1010 | Staatic – Static Site Generator for WordPress | 314201952k+ | SQL query is not prepared |
| #1011 | WP Testimonials | 3118345510k+ | Non-prefixed global variable |
| #1012 | Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification | 312848302k+ | Missing nonce verification |
| #1013 | Web Push Notifications – Webpushr | 3116929310k+ | Output is not escaped |
| #1014 | WooCommerce Legacy REST API | 31324177400k+ | Missing Translators Comment |
| #1015 | Tooltips for WordPress | 313122525k+ | Output is not escaped |
| #1016 | WPGatsby | 31125553k+ | Text Domain Mismatch |
| #1017 | WP Visitor Statistics (Real Time Traffic) | 3135369120k+ | Nonce verification recommended |
| #1018 | WP ULike – Like & Dislike Buttons for Engagement and Feedback | 3126935860k+ | Output is not escaped |
| #1019 | WP125 | 311781843k+ | Unsafe printing function |
| #1020 | Hosting Benchmark tool | 312021154k+ | rand rand |
| #1021 | One to one user Chat by WPGuppy | 3174187700 | Non-prefixed global variable |
| #1022 | WPDoctor Malware Scanner & Vulnerability Checker & IP blocker with Hack monitor Lite | 31133438600 | Non-prefixed global variable |
| #1023 | ActiveDEMAND | 321571611k+ | Output is not escaped |
| #1024 | Advanced Access Manager – Access Governance for WordPress | 3284962100k+ | Output is not escaped |
| #1025 | AI Alt Text Generator | 3276241k+ | Missing Translators Comment |
| #1026 | annasta Filters for WooCommerce | 321,0734412k+ | Text Domain Mismatch |
| #1027 | APCu Manager | 3215112610k+ | Output is not escaped |
| #1028 | Author Avatars List/Block | 32851354k+ | Non-prefixed hook name |
| #1029 | Auto YouTube Importer | 323381731k+ | Text Domain Mismatch |
| #1030 | BuddyPress for LearnDash | 321902841k+ | Output is not escaped |
| #1031 | Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler | 32147319400 | Direct Query |
| #1032 | Code Manager | 32217261500 | Nonce verification recommended |
| #1033 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 326422642k+ | Unsafe printing function |
| #1034 | CSV Import and Exporter | 32831381k+ | Non-prefixed global variable |
| #1035 | Fable Extra | 32792824k+ | Non-prefixed global variable |
| #1036 | FA Lite – WP responsive slider plugin | 32726140500 | Unsafe printing function |
| #1037 | Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages | 32537739k+ | Nonce verification recommended |
| #1038 | WP Gravity Forms HubSpot | 32771160600 | Text Domain Mismatch |
| #1039 | CRM Perks Integration for Gravity Forms and Salesforce | 328071781k+ | Text Domain Mismatch |
| #1040 | WP Gravity Forms Zoho CRM and Bigin | 32750174400 | Text Domain Mismatch |
| #1041 | GlotPress | 32403103500 | Unsafe printing function |
| #1042 | GraphComment Comment system | 32217225400 | Unsafe printing function |
| #1043 | GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) | 321201458k+ | Non-prefixed global variable |
| #1044 | Gwolle Guestbook | 3226952720k+ | Output is not escaped |
| #1045 | Honeypot Toolkit | 32155770400 | Missing nonce verification |
| #1046 | HTML5 jQuery Audio Player | 322511531k+ | Unsafe printing function |
| #1047 | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | 3239614220k+ | Output is not escaped |
| #1048 | Manager for IcoMoon | 3227068400 | Short PHP open tag found |
| #1049 | MapPress Maps for WordPress | 3269513330k+ | Missing Arg Domain |
| #1050 | Organization chart | 321873345k+ | SQL query is not prepared |